United States Department of State
Office of Inspector General

Executive Summary

Government Information Security Reform Act
FY 2002 Submission

September 16, 2002

UNCLASSIFIED

EXECUTIVE SUMMARY

PURPOSE

In response to the Government Information Security Reform Act (GISRA),[1] the Office of Inspector General (OIG) performed an independent evaluation of the information security program and practices of the Department of State (Department). This executive summary provides the results of OIG’s evaluation in two parts. Part I summarizes the results of OIG’s review of the Department’s information security program. Part II contains OIG’s assessment of the Department’s information security program using performance measures provided by the Office of Management and Budget (OMB).

PART I
Results of OIG’s Information Security Program Evaluation (Report IT-A-02-06)

OIG’s evaluation of the effectiveness of the Department’s information security program found several key areas of security that still require management attention. Specifically, OIG concluded that the Department has made slow progress in addressing information security weaknesses identified in OIG’s September 2001 GISRA report.[2] In response to the report, the Department developed a strategy to address a key deficiency: the lack of certification and accreditation of its information systems. However, the Department has not developed a timetable for certification and accreditation of all systems, and as of August 2002, only four percent of its systems had been certified and accredited. Further, according to OIG’s survey questionnaire, although 72 percent of the Department’s 358 systems are reported to have security-level determinations, only 15 percent are reported to have security plans.

In addition, in FY 2002, OIG reported on information security vulnerabilities through its reviews of key information management programs. For example, in its February 2002 report[3] on the Classified Connectivity Program (CCP), a project to implement classified processing capability at overseas missions, OIG reported that the Department has not developed a definitive strategy for managing the security risks of its CCP deployments. Specifically, OIG reported that the Department had not completed the steps needed to certify and accredit the classified Windows NT LAN in accordance with federal requirements.

Finally, at overseas missions, OIG found significant weaknesses in information security management. Specifically, OIG determined that the information systems security officers (ISSO) generally were not performing all the requisite duties of the position. In addition, none of the 11 missions that OIG visited had developed information systems security plans. Further, OIG found deficiencies in management, technical, and operational controls, thus increasing the risk to mission operations.

[1] Public Law No. 106-398, Div. A, Title X, Subtitle G, 114 Stat. 1654A (2000), 44 U.S.C. 3531 et seq.
[2] Senior Management Attention Needed to Ensure Effective Implementation of the Government Information Security Reform Act (Report Number 01-IT-M-082, September 2001).
[3] Classified Connectivity Program: Progress and Challenges (Report Number IT-A-02-01, February 2002).

Part II
OIG Assessment of the Department’s Information Security Program Based on OMB Performance Measures

A. General Overview

1. Not Applicable

2. Identify and describe as necessary the total number of programs and systems in the agency, the total number of systems and programs reviewed by the program officials, CIOs, or IGs in both last year’s report (FY01) and this year’s report (FY02) according to the format provided below. Agencies should specify whether they used the NIST self-assessment guide or an agency developed methodology. If the latter was used, confirm that all elements of the NIST guide were addressed.

TABLE A.1: DEPARTMENT OF STATE PROGRAMS AND SYSTEMS

                                                                               FY 2001   FY 2002
2a  Total number of agency programs.                                             NA        211
2b  Total number of agency systems reported to OIG in its Department survey.     370       358
2c  Total number of programs reviewed by OIG.                                     0        12
2d  Total number of systems reviewed by OIG.                                     16         9
Note: Line 2a is the sum of those missions with MPP reporting requirements [181] + Bureaus [27] + Financial Service Centers [3].

OIG developed two data collection surveys to obtain general information about the Department’s information security program. The first survey determined the Department’s universe of systems. The second survey highlighted five of the Department’s major information systems. OIG selected these systems according to their importance to the Department in the areas of human resources, inventory management, financial management, public diplomacy, and classified information processing.

The questions pertained to management and operational controls. More specifically, the questions focused on security control reviews, personnel security, contingency planning, data integrity, security awareness, training, education, and incident response capabilities. The questions in the surveys came directly from the National Institute of Standards and Technology (NIST) self-assessment guide, which OIG edited to cover risk and vulnerability assessments, security controls, life cycle, certification and accreditation, information system security plans, personnel security, contingency plans, data integrity, documentation, and incident response capability.

OIG did not independently verify the information collected from the first survey, but did selectively verify key information from responses to the second survey. Additionally, OIG conducted independent audit and inspection work on 12 Department programs and four other systems, again relying on the NIST self-assessment guide.

3. Identify all material weaknesses in policies, procedures, or practices as identified and required to be reported under existing law. (Section 3534(c)(1)-(2) of the Security Act.) Identify the number of reported material weaknesses for FY 01 and FY 02, and the number of repeat weaknesses in FY02.

TABLE A.2: DEPARTMENT OF STATE MATERIAL WEAKNESSES

                                                             FY 2001   FY 2002
3a  Number of material weaknesses reported.                     4         3
3b  Number of material weaknesses repeated in FY 2002.          NA        3

In FY 2001, the Department had four material weaknesses on its books. Three of these were reported under the Federal Managers Financial Integrity Act (FMFIA),[4] as follows:

• inadequate administrative staffing overseas;
• integration of grants tracking system; and
• exchange visitor information system.

The Department’s fourth material weakness for FY 2001 was: “information systems security for networks in domestic operations.” This weakness was brought to the Department’s attention in a U.S. General Accounting Office (GAO) review, and it was cited in OIG’s audit of the Department’s financial statements under the Federal Financial Management Improvement Act of 1996.[5] Although the weakness was closed for FMFIA purposes as GAO closed out the recommendations pertaining to it, it is still considered a material weakness for financial statement purposes and is reported in the Department’s FY 2001 Accountability Report.

On June 27, 2002, the Department’s Management Control Steering Committee voted to close the material weakness concerning “inadequate administrative staffing overseas,” and it will not be reported in the FMFIA report for FY 2002. The Committee added the other two material weaknesses from last year to the agenda for consideration on closing at the next Management Control Steering Committee meeting, scheduled for September 2002.

[4] Public Law No. 97-255, 96 Stat. 814 (1982).
[5] Public Law No. 104-208, Div. A, Title I, 110 Stat. 3009-389 (1996).

B. Responsibilities of Agency Head

1. Identify and describe any specific steps taken by the agency head to clearly and unambiguously set forth the Security Act’s responsibilities and authorities for the agency CIO and program officials. Specifically how are such steps implemented and enforced? Can a major operating component of the agency make an IT investment decision without review by and concurrence of the agency CIO?

In August 2001, the Department took the following key steps:

• The Deputy Secretary issued a Delegation of Authority to the CIO, empowering him to administer the Department’s information security program.
• The CIO designated the deputy assistant secretary for countermeasures and information security as the senior agency information security officer. This officer reports directly to the CIO regarding the implementation and maintenance of the Department’s information security program and security policies.
• The Under Secretary for Management designated the CIO as the designated approving authority (DAA), responsible for making risk acceptance determinations for information technology on behalf of the Department. Based on mission criticality, the DAA may accept risk and grant either an approval to operate or an interim approval to operate if the system does not meet requirements.
• The Under Secretary for Management also agreed to several changes in the respective roles and responsibilities of the Bureaus of Diplomatic Security (DS) and Information Resource Management (IRM) over information security. For example, DS is responsible for developing and recommending computer security policies, while the CIO, who is under IRM, has final review and approval authority for such policies.

Concerning the enforcement of GISRA responsibilities and authorities, 5 FAM 619 requires that Department systems undergo certification and accreditation evaluation by DS before implementation. Further, the directive states that project managers should estimate the cost of incorporating each safeguard or countermeasure into a system.

The Department has established information technology (IT) review boards to evaluate and approve certain projects. According to the Foreign Affairs Handbook (5 FAH-5 H-116), boards determine if projects will benefit the mission of the Department as outlined in the Department’s Strategic Plan. Specifically, the Information Technology Program Board reviews projects with a life cycle cost of $30 million or more, or those determined by the Under Secretary for Management to be of critical importance to the mission. Further, the Management Review Advisory Group and the Technical Review Advisory Group evaluate projects with life cycle values of less than $30 million. Generally, Department bureaus and overseas missions can make routine IT investment decisions (less than $100,000) without review by and concurrence of the CIO.

As part of its IT Capital Planning Process, the Department requires bureaus to submit budget information on all IT projects, regardless of funding source, into the IT Investment Portfolio System (I-TIPS). For FY 2004, bureaus were required to submit project information by June 7, 2002, in order to be considered for inclusion in the Department’s budget request.

2. How does the head of the agency ensure that the agency’s information security program is practiced throughout the life cycle of each agency system? During the reporting period, did the agency head take any specific and direct actions to oversee the performance of 1) agency program officials and 2) the CIO to verify that such officials are ensuring that security plans are up-to-date and practiced throughout the life cycle of each system?

In December 2001, OMB notified the Department that it had disapproved its security program, largely on the basis of the Department’s GISRA report and the serious issues found, and its own reviews of security integration in the capital planning process.

In response, in March 2002, the Under Secretary for Management directed DS and IRM to develop a plan to address incomplete planning and certification and accreditation of individual systems. Specifically, the Under Secretary directed DS and IRM to develop plans to:

• implement fully the National Information Assurance Certification and Accreditation Process (NIACAP) in the Department. The plan must include performance-based, competitive sourcing options, and budget impact statements for all options presented.
• eliminate quickly and efficiently the current systems certification and accreditation backlog. This plan must also include performance-based, competitive sourcing options, and budget impact statements for all options presented.

In July 2002, the Under Secretary for Management approved a proposal by DS and IRM to implement NIACAP across the Department, including quick and efficient certification and accreditation of all Department systems, networks, applications, domains, and sites. The plan identifies five major issue areas (education, documentation, applications, sites, and remediation) that need to be addressed in order to implement NIACAP.

3. How has the agency integrated its information and information technology security program with its critical infrastructure protection responsibilities, and other security programs (e.g., continuity of operations, and physical and operational security)? (Sections 3534(a)(1)(B) and (b)(1) of the Security Act.) Does the agency have separate staffs devoted to other security programs, are such programs under the authority of different agency officials, if so what specific efforts have been taken by the agency head or other officials to eliminate unnecessary duplication of overhead costs and ensure that policies and procedures are consistent and complementary across the various programs and disciplines?

Generally, the Department has not integrated its information technology security program with its critical infrastructure protection (CIP) responsibilities and other security programs. It has, however, taken a number of steps to strengthen its approach to CIP. Specifically, in February 2002, the Under Secretary for Management decided to:

• establish a formal Department-wide CIP program that will be managed and resource-loaded over a multiyear planning period that is aligned with the Department’s budget and planning process to achieve CIP objectives for domestic and overseas operations; and
• assign lead responsibility for formulation and execution of the Department-wide CIP program to the Assistant Secretary for Resource Management.

In April 2002, the Assistant Secretary for Resource Management established the Tier One Governance Board, which is comprised of senior managers who are responsible for the Department’s infrastructure. The board is supposed to facilitate the decision-making process on policy and priorities related to CIP objectives.

Finally, the Department has a wide variety of security programs at its bureaus and overseas missions operating under the authority of different agency officials. Thus far, there have been no specific efforts taken by the agency head or other officials to eliminate unnecessary duplication of overhead costs and ensure that policies and procedures are consistent and complementary across the various programs and disciplines.

4. Has the agency undergone a Project Matrix review? If so, describe the steps the agency has taken as a result of the review. If no, describe how the agency identifies its critical operations and assets, their interdependencies and interrelationships, and how they secure those operations and assets.

The Department has not undergone a Project Matrix review. In December 2001, the Department’s Critical Infrastructure Protection Governance Board agreed to participate in Project Matrix. Because of limitations on the collection, processing, and controlling of classified and highly sensitive information, the Department’s participation has been limited to that of providing unclassified materials. At this time, the Department is developing its approach to identifying its critical operations and assets, their interdependencies and interrelationships, and how they secure those operations and assets.

5. How does the agency head ensure that the agency, including all components, has documented procedures for reporting security incidents and sharing information regarding common vulnerabilities? Identify and describe the procedures for external reporting to law enforcement authorities and to the General Services Administration’s Federal Computer Incident Response Center (FedCIRC). Identify actual performance according to the measures and the number of incidents reported in the format provided below. (Section 3534(b)(2)(F)(i)-(iii) of the Security Act.)

TABLE B.1: RESPONSIBILITIES OF AGENCY HEAD

5a  Total number of agency components including bureaus, field activities (functional areas and worldwide transmitting sites): 344
5b  Number of agency components with incident handling and response capability: 344
5c  Number of agency components that report to FedCIRC: 1 (DS CIRT)
5d  Does the agency and its major components share incident information with FedCIRC in a timely manner consistent with FedCIRC and OMB guidance? Yes
5e  What is the required average time to report to the agency and FedCIRC following an incident? Varies case-by-case
5f  How does the agency, including the programs within major components, confirm that patches have been tested and installed in a timely manner? Engineering a comprehensive process

                                                                          FY 2001        FY 2002
5g  By agency and individual component, number of incidents (e.g., successful and unsuccessful network penetrations, root or user account compromises, denial of service attacks, website defacing attacks, malicious code and virus, probes and scans, password access) reported by each component.
        CIRT incidents                                                    1,441          1,085 (as of July 1)
        VIRT incidents                                                    239,272        181,180 (as of July 30)
5h  By agency and individual component, number of incidents reported externally to FedCIRC or law enforcement.
                                                                          118            70 (as of July 1)
Note 1: CIRT is Computer Incident Response Team
Note 2: VIRT is Virus Incident Response Team
Note 3: FedCIRC is Federal Computer Incident Response Capability

OIG did not evaluate the Department’s incident handling policy and procedures. This area of interest will be included in OIG’s work for FY 2003 under the proposed Federal Information Security Management Act. The information shown in Table B.1 was provided by the CIO and has not been verified.

C. Responsibilities of Agency Program Officials

1. Have agency program officials: 1) assessed the risk to operations and assets under their control; 2) determined the level of security appropriate to protect such operations and assets; 3) maintained an up-to-date security plan (that is practiced throughout the life cycle) for each system supporting the operations and assets under their control; and 4) tested and evaluated security controls and techniques? (Section 3534(a)(2) of the Security Act.)

According to OIG’s survey results, the Department identified 358 systems and applications in FY 2002 (compared with 370 in FY 2001). Generally, OIG’s survey indicates that there is significant room for improvement. As Table C.1 shows, bureaus reported in FY 2002 that 72 percent of their systems had security-level determinations. However, bureaus also reported in FY 2002 that only four percent of their systems are certified and accredited, and only 15 percent of systems have security plans. The tables below provide the survey results for the Department as a whole, and for each bureau.

TABLE C.1: DEPARTMENT OF STATE – AGENCY TOTALS

                                                                            FY 2001            FY 2002
                                                                          Number  Percent    Number  Percent
    Total systems and major applications reported to OIG in its
    Department survey                                                       370                358
1a  Systems that have been assessed for risk                                219     59         201     56
1b  Systems that have been assigned a security level determination          256     69         257     72
1c  Systems that have an up-to-date security plan                            38     10          53     15
1d  Systems that have been authorized for processing following
    certification and accreditation                                          18      5          16      4
1e  Systems that are operating without written authorization (including
    the absence of certification and accreditation)                         352     95         342     96
1g  Systems for which security controls have been tested and evaluated
    in the last year                                                        162     44         164     46
Note: Section C, questions 1f (cost of security controls), 1h (contingency plan), and 1i (contingency plan tested in last year) were not addressed in the OIG survey.

TABLE C.2: BUREAU OF ADMINISTRATION

                                                                            FY 2001            FY 2002
                                                                          Number  Percent    Number  Percent
    Total systems and major applications reported to OIG in its
    Department survey                                                        55                 28
1a  Systems that have been assessed for risk                                  8     15           7     25
1b  Systems that have been assigned a security level determination           39     71           8     29
1c  Systems that have an up-to-date security plan                             5      9           6     21
1d  Systems that have been authorized for processing following
    certification and accreditation                                           4      7           5     18
1e  Systems that are operating without written authorization (including
    the absence of certification and accreditation)                          51     93          23     82
1g  Systems for which security controls have been tested and evaluated
    in the last year                                                          4      7           3     11
Note: The 55 systems shown for the Bureau of Administration are the total reported before May 15, 2001, when the Office of Foreign Buildings Operations (FBO) was still part of the bureau. After that date, FBO became a separate Bureau of Overseas Buildings Operations, reporting directly to the Under Secretary for Management.

TABLE C.3: BUREAU OF CONSULAR AFFAIRS

                                                                            FY 2001            FY 2002
                                                                          Number  Percent    Number  Percent
    Total systems and major applications reported to OIG in its
    Department survey                                                        36                 36
1a  Systems that have been assessed for risk                                 23     64          25     69
1b  Systems that have been assigned a security level determination            8     22          17     47
1c  Systems that have an up-to-date security plan                             0      0          15     42
1d  Systems that have been authorized for processing following
    certification and accreditation                                           2      6           4     11
1e  Systems that are operating without written authorization (including
    the absence of certification and accreditation)                          34     94          32     89
1g  Systems for which security controls have been tested and evaluated
    in the last year                                                          1      3          17     47

TABLE C.4: BUREAU OF DIPLOMATIC SECURITY

                                                                            FY 2001            FY 2002
                                                                          Number  Percent    Number  Percent
    Total systems and major applications reported to OIG in its
    Department survey                                                        51                 46
1a  Systems that have been assessed for risk                                 46     90          46    100
1b  Systems that have been assigned a security level determination           47     92          46    100
1c  Systems that have an up-to-date security plan                             0      0           0      0
1d  Systems that have been authorized for processing following
    certification and accreditation                                           1      2           0      0
1e  Systems that are operating without written authorization (including
    the absence of certification and accreditation)                          50     98          46    100
1g  Systems for which security controls have been tested and evaluated
    in the last year                                                         46     90          46    100

TABLE C.5: BUREAU OF DIPLOMATIC SECURITY, OFFICE OF FOREIGN MISSIONS

                                                                            FY 2001            FY 2002
                                                                          Number  Percent    Number  Percent
    Total systems and major applications reported to OIG in its
    Department survey                                                      See Note              4
1a  Systems that have been assessed for risk                                                     0      0
1b  Systems that have been assigned a security level determination                               1     25
1c  Systems that have an up-to-date security plan                                                1     25
1d  Systems that have been authorized for processing following
    certification and accreditation                                                              0      0
1e  Systems that are operating without written authorization (including
    the absence of certification and accreditation)                                              4    100
1g  Systems for which security controls have been tested and evaluated
    in the last year                                                                             0      0
Note: In FY 2001, the Office of Foreign Missions’ data were rolled into the Bureau of Diplomatic Security data.

TABLE C.6: BUREAU OF EAST ASIAN AND PACIFIC AFFAIRS

                                                                            FY 2001            FY 2002
                                                                          Number  Percent    Number  Percent
    Total systems and major applications reported to OIG in its
    Department survey                                                         1                  1
1a  Systems that have been assessed for risk                                  0      0           0      0
1b  Systems that have been assigned a security level determination            0      0           1    100
1c  Systems that have an up-to-date security plan                             0      0           0      0
1d  Systems that have been authorized for processing following
    certification and accreditation                                           1    100           0      0
1e  Systems that are operating without written authorization (including
    the absence of certification and accreditation)                           0      0           1    100
1g  Systems for which security controls have been tested and evaluated
    in the last year                                                          0      0           1    100

TABLE C.7: BUREAU OF EDUCATIONAL AND CULTURAL AFFAIRS

                                                                            FY 2001            FY 2002
                                                                          Number  Percent    Number  Percent
    Total systems and major applications reported to OIG in its
    Department survey                                                        40                 38
1a  Systems that have been assessed for risk                                 30     75          23     61
1b  Systems that have been assigned a security level determination           32     80          38    100
1c  Systems that have an up-to-date security plan                            12     30          11     29
1d  Systems that have been authorized for processing following
    certification and accreditation
                                                                               0           0           0         0\n     certification and accreditation\n     Systems that are operating without written authorization (including\n1e                                                                                40          100          38       100\n     the absence of certification and accreditation)\n     Systems for which security controls have been tested and evaluated\n1g                                                                                 0           0           0         0\n     in the last year\n     Note: The Bureau of Educational and Cultural Affairs response also includes the Coordinator of International\n     Information Programs office.\n\n\n\n                                       TABLE C.8:   BUREAU OF EUROPEAN AFFAIRS\n\n                                                                                  FY 2001                 FY 2002\n                                                                               Number Percent          Number Percent\n     Total systems and major applications reported to OIG in its\n                                                                                   5                       5\n     Department survey\n1a   Systems that have been assessed for risk                                      0           0           0         0\n1b   Systems that have been assigned a security level determination                0           0           0         0\n1c   Systems that have an up-to-date security plan                                 0           0           0         0\n     Systems that have been authorized for processing following\n1d                                                                                 0           0           0         0\n     certification and accreditation\n     Systems that are operating without written authorization (including\n1e                                                  
                               5          100          5        100\n     the absence of certification and accreditation)\n     Systems for which security controls have been tested and evaluated\n1g                                                                                 0           0           0         0\n     in the last year\n\n\n\n\n                                                  UNCLASSIFIED                                                      11\n\x0c                                                   UNCLASSIFIED\n\n\n                                      TABLE C.9:   FOREIGN SERVICE INSTITUTE\n\n                                                                              FY 2001          FY 2002\n                                                                           Number Percent   Number Percent\n     Total systems and major applications reported to OIG in its\n                                                                             2                2\n     Department survey\n1a   Systems that have been assessed for risk                                0       0        1       50\n1b   Systems that have been assigned a security level determination          2      100       2      100\n1c   Systems that have an up-to-date security plan                           0       0        1      50\n     Systems that have been authorized for processing following\n1d                                                                           0       0        0       0\n     certification and accreditation\n     Systems that are operating without written authorization (including\n1e                                                                           2      100       2      100\n     the absence of certification and accreditation)\n     Systems for which security controls have been tested and evaluated\n1g                                                                           2      100       0       0\n     in the last year\n\n\n                 
                   TABLE C.10:    BUREAU OF HUMAN RESOURCES\n\n                                                                              FY 2001          FY 2002\n                                                                           Number Percent   Number Percent\n     Total systems and major applications reported to OIG in its\n                                                                             20               20\n     Department survey\n1a   Systems that have been assessed for risk                                 4      20       3       15\n1b   Systems that have been assigned a security level determination          18      90       18      90\n1c   Systems that have an up-to-date security plan                           6       30       6       30\n     Systems that have been authorized for processing following\n1d                                                                           1       5        2       10\n     certification and accreditation\n     Systems that are operating without written authorization (including\n1e                                                                           19      95       18      90\n     the absence of certification and accreditation)\n     Systems for which security controls have been tested and evaluated\n1g                                                                           19      95       19      95\n     in the last year\n\n\n                       TABLE C.11:   BUREAU OF INFORMATION RESOURCE MANAGEMENT\n\n                                                                              FY 2001          FY 2002\n                                                                           Number Percent   Number Percent\n     Total systems and major applications reported to OIG in its\n                                                                             29               29\n     Department survey\n1a   Systems that have been assessed for risk                                12      41 
      11      38\n1b   Systems that have been assigned a security level determination          11      38       11      38\n1c   Systems that have an up-to-date security plan                           7       24       8       28\n     Systems that have been authorized for processing following\n1d                                                                           3       10       2       7\n     certification and accreditation\n     Systems that are operating without written authorization (including\n1e                                                                           26      90       27      93\n     the absence of certification and accreditation)\n     Systems for which security controls have been tested and evaluated\n1g                                                                           2       7        3       10\n     in the last year\n\n\n                                                UNCLASSIFIED                                         12\n\x0c                                                  UNCLASSIFIED\n\n\n                                   TABLE C.12:   OFFICE OF INSPECTOR GENERAL\n\n                                                                              FY 2001          FY 2002\n                                                                           Number Percent   Number Percent\n     Total systems and major applications reported to OIG in its\n                                                                             6                8\n     Department survey\n1a   Systems that have been assessed for risk                                5      83        5       63\n1b   Systems that have been assigned a security level determination          6      100       6       75\n1c   Systems that have an up-to-date security plan                           0       0        0       0\n     Systems that have been authorized for processing following\n1d                                                                           0      
 0        0       0\n     certification and accreditation\n     Systems that are operating without written authorization (including\n1e                                                                           6      100       8      100\n     the absence of certification and accreditation)\n     Systems for which security controls have been tested and evaluated\n1g                                                                           6      100       6       75\n     in the last year\n\n\n                             TABLE C.13:   BUREAU OF INTELLIGENCE AND RESEARCH\n\n                                                                              FY 2001          FY 2002\n                                                                           Number Percent   Number Percent\n     Total systems and major applications reported to OIG in its\n                                                                             3                3\n     Department survey\n1a   Systems that have been assessed for risk                                2      67        2      67\n1b   Systems that have been assigned a security level determination          3      100       3      100\n1c   Systems that have an up-to-date security plan                           2      67        2      67\n     Systems that have been authorized for processing following\n1d                                                                           1       33       1       33\n     certification and accreditation\n     Systems that are operating without written authorization (including\n1e                                                                           2       67       2       67\n     the absence of certification and accreditation)\n     Systems for which security controls have been tested and evaluated\n1g                                                                           1       33       1       33\n     in the last year\n\n\n          TABLE C.14:   BUREAU OF INTERNATIONAL 
NARCOTICS AND LAW ENFORCEMENT AFFAIRS\n\n                                                                              FY 2001          FY 2002\n                                                                           Number Percent   Number Percent\n     Total systems and major applications reported to OIG in its\n                                                                             1                1\n     Department survey\n1a   Systems that have been assessed for risk                                1      100       1      100\n1b   Systems that have been assigned a security level determination          1      100       1      100\n1c   Systems that have an up-to-date security plan                           1      100       1      100\n     Systems that have been authorized for processing following\n1d                                                                           1      100       0       0\n     certification and accreditation\n     Systems that are operating without written authorization (including\n1e                                                                           0       0        1      100\n     the absence of certification and accreditation)\n     Systems for which security controls have been tested and evaluated\n1g                                                                           1      100       1      100\n     in the last year\n\n\n                                                UNCLASSIFIED                                         13\n\x0c                                                  UNCLASSIFIED\n\n\n                     TABLE C.15:   BUREAU OF INTERNATIONAL ORGANIZATIONAL AFFAIRS\n\n                                                                              FY 2001          FY 2002\n                                                                           Number Percent   Number Percent\n     Total systems and major applications reported to OIG in its\n                                                      
                       2                2\n     Department survey\n1a   Systems that have been assessed for risk                                2      100       2      100\n1b   Systems that have been assigned a security level determination          2      100       2      100\n1c   Systems that have an up-to-date security plan                           0       0        0       0\n     Systems that have been authorized for processing following\n1d                                                                           0       0        0       0\n     certification and accreditation\n     Systems that are operating without written authorization (including\n1e                                                                           2      100       2      100\n     the absence of certification and accreditation)\n     Systems for which security controls have been tested and evaluated\n1g                                                                           0       0        0       0\n     in the last year\n\n\n                                    TABLE C.16:   OFFICE OF THE LEGAL ADVISER\n\n                                                                              FY 2001          FY 2002\n                                                                           Number Percent   Number Percent\n     Total systems and major applications reported to OIG in its\n                                                                             5                5\n     Department survey\n1a   Systems that have been assessed for risk                                0       0        0       0\n1b   Systems that have been assigned a security level determination          0       0        0       0\n1c   Systems that have an up-to-date security plan                           0       0        0       0\n     Systems that have been authorized for processing following\n1d                                                                           0       0        0       0\n    
 certification and accreditation\n     Systems that are operating without written authorization (including\n1e                                                                           5      100       5      100\n     the absence of certification and accreditation)\n     Systems for which security controls have been tested and evaluated\n1g                                                                           0       0        0       0\n     in the last year\n\n\n                                    TABLE C.17:   OFFICE OF MEDICAL SERVICES\n\n                                                                              FY 2001          FY 2002\n                                                                           Number Percent   Number Percent\n     Total systems and major applications reported to OIG in its\n                                                                             3                3\n     Department survey\n1a   Systems that have been assessed for risk                                3      100       2      67\n1b   Systems that have been assigned a security level determination          3      100       3      100\n1c   Systems that have an up-to-date security plan                           3      100       0       0\n     Systems that have been authorized for processing following\n1d                                                                           3      100       0       0\n     certification and accreditation\n     Systems that are operating without written authorization (including\n1e                                                                           0       0        3      100\n     the absence of certification and accreditation)\n     Systems for which security controls have been tested and evaluated\n1g                                                                           3      100       2       67\n     in the last year\n\n\n                                                UNCLASSIFIED                        
                 14\n\x0c                                                  UNCLASSIFIED\n\n\n                                   TABLE C.18:   BUREAU OF NONPROLIFERATION\n\n                                                                              FY 2001          FY 2002\n                                                                           Number Percent   Number Percent\n     Total systems and major applications reported to OIG in its\n                                                                             2                2\n     Department survey\n1a   Systems that have been assessed for risk                                0       0        0       0\n1b   Systems that have been assigned a security level determination          2      100       2      100\n1c   Systems that have an up-to-date security plan                           0       0        0       0\n     Systems that have been authorized for processing following\n1d                                                                           0       0        0       0\n     certification and accreditation\n     Systems that are operating without written authorization (including\n1e                                                                           2      100       2      100\n     the absence of certification and accreditation)\n     Systems for which security controls have been tested and evaluated\n1g                                                                           0       0        0       0\n     in the last year\n\n\n     TABLE C.19:   BUREAU OF OCEANS AND INTERNATIONAL ENVIRONMENTAL AND SCIENTIFIC AFFAIRS\n\n                                                                              FY 2001          FY 2002\n                                                                           Number Percent   Number Percent\n     Total systems and major applications reported to OIG in its\n                                                                             5                
5\n     Department survey\n1a   Systems that have been assessed for risk                                5      100       5      100\n1b   Systems that have been assigned a security level determination          5      100       5      100\n1c   Systems that have an up-to-date security plan                           0       0        0       0\n     Systems that have been authorized for processing following\n1d                                                                           0       0        0       0\n     certification and accreditation\n     Systems that are operating without written authorization (including\n1e                                                                           5      100       5      100\n     the absence of certification and accreditation)\n     Systems for which security controls have been tested and evaluated\n1g                                                                           0       0        0       0\n     in the last year\n\n\n\n\n                                                UNCLASSIFIED                                         15\n\x0c                                                    UNCLASSIFIED\n\n\n                                   TABLE C.20:    OVERSEAS BUILDINGS OPERATIONS\n\n                                                                                 FY 2001                 FY 2002\n                                                                              Number Percent          Number Percent\n     Total systems and major applications reported to OIG in its\n                                                                              See Note                    29\n     Department survey\n1a   Systems that have been assessed for risk                                                              1          3\n1b   Systems that have been assigned a security level determination                                       29         100\n1c   Systems that have an up-to-date security plan                  
                                       0          0\n     Systems that have been authorized for processing following\n1d                                                                                                        0              0\n     certification and accreditation\n     Systems that are operating without written authorization (including\n1e                                                                                                        29         100\n     the absence of certification and accreditation)\n     Systems for which security controls have been tested and evaluated\n1g                                                                                                        0              0\n     in the last year\n     Note: The 55 systems shown for the Bureau of Administration are the total reported before May 15, 2001, when the\n     Office of Foreign Buildings Operations (FBO) was still part of the bureau. After that date, FBO became a separate\n     Overseas Buildings Operations, reporting directly to the Under Secretary for Management.\n\n\n\n                       TABLE C.21:    BUREAU OF POPULATION, REFUGEES, AND MIGRATION\n\n                                                                                 FY 2001                 FY 2002\n                                                                              Number Percent          Number Percent\n      Total systems and major applications reported to OIG in its\n                                                                                  2                       2\n      Department survey\n1a    Systems that have been assessed for risk                                    0           0           0              0\n1b    Systems that have been assigned a security level determination              0           0           0              0\n1c    Systems that have an up-to-date security plan                               0           0           0              0\n      Systems 
that have been authorized for processing following\n1d                                                                                0           0           0              0\n      certification and accreditation\n      Systems that are operating without written authorization (including\n1e                                                                                2          100          2          100\n      the absence of certification and accreditation)\n      Systems for which security controls have been tested and evaluated\n1g                                                                                0           0           0              0\n      in the last year\n\n\n\n\n                                                 UNCLASSIFIED                                                       16\n\x0c                                                  UNCLASSIFIED\n\n\n                                      TABLE C.22:   BUREAU OF PUBLIC AFFAIRS\n\n                                                                              FY 2001          FY 2002\n                                                                           Number Percent   Number Percent\n     Total systems and major applications reported to OIG in its\n                                                                             5                5\n     Department survey\n1a   Systems that have been assessed for risk                                1       20       1       20\n1b   Systems that have been assigned a security level determination          1       20       1       20\n1c   Systems that have an up-to-date security plan                           0       0        0       0\n     Systems that have been authorized for processing following\n1d                                                                           0       0        0       0\n     certification and accreditation\n     Systems that are operating without written authorization (including\n1e                               
                                            5      100       5      100\n     the absence of certification and accreditation)\n     Systems for which security controls have been tested and evaluated\n1g                                                                           0       0        0       0\n     in the last year\n\n\n                                TABLE C.23:   BUREAU OF RESOURCE MANAGEMENT\n\n                                                                              FY 2001          FY 2002\n                                                                           Number Percent   Number Percent\n     Total systems and major applications reported to OIG in its\n                                                                             22               23\n     Department survey\n1a   Systems that have been assessed for risk                                2       9        5       22\n1b   Systems that have been assigned a security level determination          1       5        2       9\n1c   Systems that have an up-to-date security plan                           2       9        2       9\n     Systems that have been authorized for processing following\n1d                                                                           1       5        2       9\n     certification and accreditation\n     Systems that are operating without written authorization (including\n1e                                                                           21      95       21      91\n     the absence of certification and accreditation)\n     Systems for which security controls have been tested and evaluated\n1g                                                                           3       14       5       22\n     in the last year\n\n\n                                      TABLE C.24:   OFFICE OF THE SECRETARY\n\n                                                                              FY 2001          FY 2002\n                                          
                                 Number Percent   Number Percent\n     Total systems and major applications reported to OIG in its\n                                                                             75               61\n     Department survey\n1a   Systems that have been assessed for risk                                75     100       61     100\n1b   Systems that have been assigned a security level determination          75     100       61     100\n1c   Systems that have an up-to-date security plan                           0       0        0       0\n     Systems that have been authorized for processing following\n1d                                                                           0       0        0       0\n     certification and accreditation\n     Systems that are operating without written authorization (including\n1e                                                                           75     100       61     100\n     the absence of certification and accreditation)\n     Systems for which security controls have been tested and evaluated\n1g                                                                           74      99       60      98\n     in the last year\n\n\n                                                UNCLASSIFIED                                         17\n\x0c                                                  UNCLASSIFIED\n   2. For operations and assets under their control, have agency program officials used appropriate\n   methods (e.g., audits or inspections) to ensure that contractor provided services (e.g., network or\n   website operations) or services provided by another agency for their program and systems are\n   adequately secure and meet the requirements of the Security Act, OMB policy and NIST guidance,\n   national security policy, and agency policy? Identify actual performance according to the measures\n   and in the format provided below. 
(Sections 3532(b)(2), 3533(b)(2), 3534(a)(1)(B) and (b)(1) of the Security Act.)

   OIG did not evaluate the Department’s or program officials’ handling of contractor-provided or
   other-agency information services. This area will be included in OIG’s work for FY 2003 under
   the proposed Federal Information Security Management Act.


D. Responsibilities of Agency Chief Information Officers

   1. Has the agency CIO: 1) adequately maintained an agency-wide security program; 2) ensured
   the effective implementation of the program and evaluated the performance of major agency
   components; and 3) ensured the training of agency employees with significant security
   responsibilities? Identify actual performance according to the measures and in the format provided
   below. (Sections 3534(a)(3)-(5), 3534(a)(3)(D), (a)(4), and (b)(2)(C)(i)-(ii) of the Security Act.)


                  TABLE D.1: RESPONSIBILITIES OF AGENCY CHIEF INFORMATION OFFICERS

                                                                                    FY 2001        FY 2002
    1a     Other than GAO or IG audits and reviews, how many agency
           components and field activities received security reviews?                N/A         161 (IV&V)
    1b     What percentage of components and field activities have had such
           reviews?                                                                   N/A          unknown
    1c     Number of agency employees including contractors.                        25,604          31,975
    1d     Number and percentage of agency employees including contractors
           that received security training (1-hour security training for             N/A          16,365
           OpenNet Plus users).                                                                     (51%)
    1e     Number of employees with significant security responsibilities.            N/A          unknown
    1f     Number of employees with significant security responsibilities that
           received specialized training.                                             325           2,800
    1g     Briefly describe what types of security training were available.        narrative      narrative
    1i     Do agency POA&Ms account for all known agency security weaknesses,
           including those of all components and field activities? If no,            N/A        No (see
           why not?                                                                               narrative)
    1j     Has the CIO appointed a senior agency information security official?       Yes            Yes
         Note 1: POA&Ms are plans of action and milestones reports. IV&V is independent verification and
         validation.

   1) Adequately maintained an agency-wide security program.

   The CIO has not adequately maintained an agency-wide security program, in part because not all
   the elements of such a program are in place or have been implemented. First, as OIG states
First, as OIG states\n   in its evaluation report, the Systems Security Program Plan (SSPP), which provides an overview\n   of the Department\xe2\x80\x99s management approach to information security, was not revised to address\n   the requirements resulting from GISRA\xe2\x80\x99s enactment and does not reflect changes and\n   delegations of authority made within the Department to meet GISRA requirements.\n                                          UNCLASSIFIED                                           18\n\x0c                                             UNCLASSIFIED\n\nThe Department is currently revising the SSPP so that it is consistent with GISRA.\n\nSecond, a critical element of the SSPP, certification and accreditation, has not been implemented\nacross the Department. According to the SSPP, the certification and accreditation process is the\nprimary vehicle for the implementation of IT risk management for the Department. Further, the\nSSPP states that this process is designed to ensure that IT security requirements established by\nlaw and by Department policy are met and followed to ensure that the Department\xe2\x80\x99s information\nsecurity posture is not adversely impacted. Toward that end, in July 2002, the Under Secretary\nfor Management approved a strategy developed by DS and IRM to implement NIACAP,\nincluding quick and efficient certification and accreditation of all Department systems, networks,\napplications, domains, and sites. The strategy identifies five major areas (education,\ndocumentation, applications, sites, and remediation) that need to be addressed. However, as OIG\nreported in its FY 2002 GISRA evaluation, the Department has not developed a timetable for\ncertification and accreditation of all systems, and as of August 2002, only four percent of its\nsystems had been certified and accredited.\n\nThird, for FY 2002, the Department had not developed and implemented information security\nperformance measures to support strategic goals. 
Without meaningful and measurable\nperformance measures, the Department was not able to implement a results-based information\nsecurity management program. To resolve this problem, in August 2002, the CIO issued the\nDepartment\xe2\x80\x99s FY 2003 Information Assurance Performance Measures Plan, and requested that\nall bureaus and missions implement procedures for collecting and submitting data in accordance\nwith the plan. The CIO directed that collection of data should begin no later than October 1,\n2002.\n\nTo address weaknesses in the Department\xe2\x80\x99s security program, the CIO has approved the\nestablishment of the Office of Information Assurance (IA). The new directorate reports to the\ndeputy assistant secretary (deputy chief information officer) and has had a significant number of\nresources, both financial and staff, assigned commensurate with its new and increased\nresponsibilities. The purpose of this office is to plan, manage, and track the Department\xe2\x80\x99s IT\nsecurity program in accordance with government mandates. The IA Office supports the DAA\nand CIO in accrediting systems and applications that have undergone the certification process.\nThe IA Office is also responsible for developing the Departmental Information Assurance\nProgram Plan that acts as an implementation guide for IT security throughout the Department.\n\n2) Ensured the effective implementation of the program and evaluated the performance of\n   major agency components.\n\nThe CIO has not ensured effective implementation of the security program. As OIG reported in\nits evaluation of the Department\xe2\x80\x99s information security program, the CIO is making slow\nprogress in addressing the information security weaknesses identified in OIG\xe2\x80\x99s September 2001\nGISRA report.6 Specifically, OIG reported that there is significant room for improvement in\ninformation security management throughout the Department. 
For example, although 72 percent\nof the Department\xe2\x80\x99s 358 systems were reported to have security level determinations, only 15\npercent were reported to have security plans. In addition, OIG reported that information security\ndeficiencies at overseas missions increase the risk that mission operations could be disrupted.\n6\n Senior Management Attention Needed to Ensure Effective Implementation of the Government Information Security\nReform Act (Report Number 01-IT-M-082, Sept. 2001)\n                                           UNCLASSIFIED                                                   19\n\x0c                                                 UNCLASSIFIED\n\nFor example, OIG noted that none of the missions visited had developed a mission-wide\ninformation systems security plan. Further, OIG found that because of weaknesses in the\nDepartment\xe2\x80\x99s management, technical, and operational controls, IT systems could be\ncompromised through a variety of means.\n\nFinally, the CIO has made progress in evaluating the performance of major components. As part\nof OpenNet Plus7 implementation, the CIO is assessing information security at missions and\nbureaus through the connection approval process. So far, 23 bureaus and about 141 missions\nhave had independent verification and validation (IV&V) of their respective IT infrastructures,\nwhich measures the extent to which each site complies with the Department\xe2\x80\x99s IT security\nconfiguration. Missions must show that they comply with existing security standards prior to\nreceiving internet web services from OpenNet Plus.\n\n3) Ensured the training of agency employees with significant security responsibilities.\n\nThe Department has made progress in addressing the information security training needs of its\nemployees. The SSPP identifies 13 roles or functions that have significant security\nresponsibilities. 
Each function impacts the design, execution, or evaluation of automated\ninformation systems (AIS) security procedures and practices. Specialized AIS security training\nhas been developed or is planned for eight of the functions. The eight functions include\nAmbassadors and Chiefs of Mission, system owners, information management officers (IMO),\nsystem administrators, information system security officers (ISSO), security engineering officers,\nregional security officers (RSO), and regional computer security officers (RCSO).\n\nUnder the Automated Information Systems Security Training Program (AISSTP), courses of\ninstruction vary according to a group\xe2\x80\x99s responsibility, as established by the Department, and last\nup to five days. With the exception of RCSOs, for whom the AISSTP office arranges specialized\noutside instruction, all classes are developed and presented by DS. Classes are presented\nworldwide throughout the year. In FY 2002, a total of 44 classes will have been presented.\n\nUntil FY 2002, the ISSO basic course was the only training presented by AISSTP. About 1,100\npeople have attended this course in the four years it has been presented. Everyone was provided\nwith the same content regardless of his or her role. The AISSTP recognized that this did not\nconform to federal requirements and started the development and delivery of new courses. Two\nof them, AIS Security for System Administrators and AIS Security for RSOs, were started in FY\n2002. Another course, AIS Security for IMOs, is expected to debut within three months.\nAISSTP expects to develop instruction for all of the groups mentioned above. It is anticipated\nthat 700 people will receive AIS security training in FY 2003.\n\nThe Department also conducts computer security awareness training to ensure the\nconfidentiality, integrity, and availability of its information. 
Pursuant to this duty, DS\xe2\x80\x99s\ncustomer support branch is responsible for the Computer Security Awareness Program.\nComputer security \xe2\x80\x9cawareness\xe2\x80\x9d is required for all employees because IT security is part of every\nemployee\xe2\x80\x99s job, and awareness supports individual accountability. Thus, the program is\ndesigned to increase the awareness of all those in the Department who are permitted access to the\nsystems.\n\n7\n    OpenNet Plus is the Department\xe2\x80\x99s program to provide worldwide desktop Internet access to its employees.\n                                               UNCLASSIFIED                                                   20\n\x0c                                            UNCLASSIFIED\n\n\n4) Do plans of action and milestones reports account for all known security weaknesses.\n\nNot all known security weaknesses are addressed by the Department\xe2\x80\x99s plans of action and\nmilestones reports. For example, the Department\xe2\x80\x99s July 2002 update does not reflect security\nweaknesses identified by OIG in its February 2002 report on the Classified Connectivity\nProgram. Nor does it address reported weaknesses in the Department\xe2\x80\x99s critical infrastructure\nprotection program, among others. The Department uses a number of reporting vehicles to\ndocument and provide status of security vulnerabilities including project plans, working group\nreports, corrective action reports, corrective action plans, remediation reports, as well as plans of\naction and milestones reports. However, corrective action plans and plans of action and\nmilestones are not currently integrated as a complete and comprehensive, single source for\neliminating known and documented vulnerabilities for programs and systems within the\nDepartment.\n\n\n2. 
For operations and assets under their control (e.g., network operations), has the agency CIO used\nappropriate methods (e.g., audits or inspections) to ensure that contractor provided services (e.g.,\nnetwork or website operations) or services provided by another agency are adequately secure and meet\nthe requirements of the Security Act, OMB policy and NIST guidance, national security policy, and\nagency policy? Identify actual performance according to the measures and in the format provided\nbelow. (Sections 3532(b)(2), 3533(b)(2), 3534(a)(1)(B) and (b)(1) of the Security Act.)\n\n\n          TABLE D.2:   DEPARTMENT OF STATE CONTRACTOR OPERATIONS FACILITIES\n\n                                                                                FY 2001     FY 2002\n2a   Number of contractor operations.                                             16          23\n2b   Number of contractor operations or facilities reviewed.                       9          16\n\nOIG did not evaluate the Department or CIO\xe2\x80\x99s handling of contractor or other agency\ninformation services provided to the Department. This area of interest will be included in the\nOIG\xe2\x80\x99s work for FY 2003 under the proposed Federal Information Security Management Act.\nThe information shown in Table D.2 was provided by the CIO and has not been verified.\n\n\n\n\n                                          UNCLASSIFIED                                             21\n\x0c                                             UNCLASSIFIED\n\n3. Has the agency CIO fully integrated security into the agency\xe2\x80\x99s capital planning and investment\ncontrol process? Were security requirements and costs reported on every FY03 capital asset plan (as\nwell as in the exhibit 53) submitted by the agency to OMB? If no, why not? Identify actual\nperformance according to the measures and in the format provided below. 
(Sections 3533(a)(1)(A)-(B),\n(b)(3)(C)-(D), (b)(6) and 3534(a)(C) of the Security Act.)\n\n\n              TABLE D.3:    RESPONSIBILITIES OF AGENCY CHIEF INFORMATION OFFICER\n\n                                                                    FY 2003 Budget   FY 2004 Budget\n                                                                      Materials        Materials\n       Number of capital asset plans and justifications submitted\n 3a                                                                      22            In process\n       to OMB\n       Number of capital asset plans and justifications submitted\n 3b                                                                       0            In process\n       to OMB without requisite security information and costs?\n       Were security costs reported for all agency systems on the\n 3c                                                                      Yes           In process\n       agency\xe2\x80\x99s exhibit 53?\n 3d    Have all discrepancies been corrected?                          Unknown          Unknown\n       How many have the CIO/other appropriate official\n 3e                                                                      22            In process\n       independently validated prior to submittal to OMB?\n      Note: 3a - Capital asset plan is under development.\n\nOIG did not evaluate the extent to which the CIO has integrated security fully into the\nDepartment\xe2\x80\x99s capital planning and investment control process. However, as indicated in Table\nD.3, for FY 2003, the Department reports that all of its 22 capital asset plans and justifications\nwere submitted to OMB with the requisite security information and cost. In this process, the\nCIO relies on the IT Investment Portfolio System, which provides a detailed breakdown of new\nand ongoing projects and initiatives. 
Starting in FY 2002, a new mandatory section includes\nplanned and current security and privacy spending.\n\n\n\n\n                                           UNCLASSIFIED                                             22\n\x0c'